CN108306846B - Network access abnormity detection method and system - Google Patents
Network access abnormity detection method and system Download PDFInfo
- Publication number
- CN108306846B CN108306846B CN201710026113.2A CN201710026113A CN108306846B CN 108306846 B CN108306846 B CN 108306846B CN 201710026113 A CN201710026113 A CN 201710026113A CN 108306846 B CN108306846 B CN 108306846B
- Authority
- CN
- China
- Prior art keywords
- information
- detected
- network information
- network
- preset condition
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention provides a method and a system for detecting network access abnormity. The method comprises the following steps: acquiring network information to be detected, wherein the network information to be detected comprises user information and a service name; acquiring a matching model which is established in advance and corresponds to the user information and the service name; and according to the matching model, if the network information to be detected is judged to meet the preset condition, the network information to be detected is abnormal information. The system is used for executing the method. According to the embodiment of the invention, whether the network information to be detected is abnormal or not is judged according to the acquired network information to be detected and the acquired matching model corresponding to the user information and the service name in the network information to be detected, so that the detection of the network abnormality of the specific service and the specific user access is realized.
Description
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method and a system for detecting network access abnormity.
Background
The abnormal traffic management is an important work in the information security management work. The potential risk that current abnormal flow arouses is huge, but lacks effectual detection management mechanism, can't effectively solve the security risk and the influence that the inside abnormal flow of enterprise brought through single flow detection equipment.
The work of network traffic anomaly detection is continuously developed, Roy and Frank define the concepts of normal behavior and abnormal behavior of the network, and traffic anomaly detection methods can be divided into two major categories, namely static detection methods and dynamic detection methods. Static detection methods include constant threshold detection methods and adaptive threshold detection methods. A normal parameter baseline is usually established based on historical data, and the alarm threshold is changed by the adaptive learning ability of the system during the operation of the network. The dynamic detection method comprises a detection method based on statistics and a detection method based on wavelets. The most common statistical detection method in practice is the Generalized Likelihood Ratio (GLR) test. The GLR considers two adjacent time windows r (t) and s (t) and a window c (t) formed by combining the two windows, each window is fitted by using an autoregressive model (AR), and a likelihood ratio test method is applied to detect abnormal changes occurring between the two windows. When the likelihood of the two windows exceeds a certain set threshold, the boundary of the two windows is considered to be abnormal. Amy Ward et al propose another statistical detection method, which establishes a set of network parameters under normal operation of the network and generates an alarm when the parameters have a deviation that does not conform to the normal operation. For example, network traffic on weekdays accounts for a significant portion of the total traffic, while internal network traffic on holidays is negligible. The network traffic on the working day shows the condition that the traffic suddenly changes between the rest time and the working time, such as: the morning work hours and the midday rest hours, and the afternoon work hours can divide the flow of the working day into three stages. In the first stage, the flow rate change trend changes dramatically from zero to some extent; the second phase is the midday rest, where there are two sudden changes in flow, namely: a sudden decrease in the afternoon hours or a sudden increase in the morning hours; the third stage is after work, and the flow rate is in a stable state after being reduced. Such a traffic situation occurs periodically on a weekday. Therefore, in the detection methods in the prior art, whether network traffic has an abnormality is found through different dimensions of the traffic itself, but an office system, a mail system, a video system, a news system, and the like may exist in the network.
Therefore, how to detect network access abnormality for a specific service is an urgent issue to be solved today.
Disclosure of Invention
Aiming at the problems in the prior art, the embodiment of the invention provides a method and a system for detecting network access abnormity.
In one aspect, an embodiment of the present invention provides a method for detecting network access abnormality, including:
acquiring network information to be detected, wherein the network information to be detected comprises user information and a service name;
acquiring a matching model which is established in advance and corresponds to the user information and the service name;
and according to the matching model, if the network information to be detected is judged to meet the preset condition, the network information to be detected is abnormal information.
In another aspect, an embodiment of the present invention provides a system for detecting network access abnormality, including:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring network information to be detected, and the network information to be detected comprises user information and a service name;
the second acquisition module is used for acquiring a pre-established matching model corresponding to the user information and the service name;
and the detection module is used for judging whether the network information to be detected meets the preset conditions according to the matching model, and if so, determining that the network information to be detected is abnormal information.
According to the network access abnormity detection method and system provided by the embodiment of the invention, whether the network information to be detected is abnormal or not is judged according to the acquired network information to be detected and the acquired matching model corresponding to the user information and the service name in the network information to be detected, so that the abnormity detection of the specific service and the network access abnormity of the specific user is realized.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a network access anomaly detection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a URL access sequence detection structure provided in an embodiment of the present invention;
fig. 3 is a schematic overall flow chart of a network access anomaly detection method according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a network access anomaly detection system according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a system for detecting network access anomalies according to another embodiment of the present invention;
fig. 6 is a schematic structural diagram of a system for detecting network access anomalies according to yet another embodiment of the present invention;
fig. 7 is a schematic structural diagram of an entity of a network access anomaly detection system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of a network access anomaly detection method according to an embodiment of the present invention, as shown in fig. 1, the method includes:
step 101: acquiring network information to be detected, wherein the network information to be detected comprises user information and a service name;
specifically, when a user accesses a network, network information accessed by the user is obtained in real time, wherein the network information to be detected includes user information and a service name, the user information may be an IP address of a terminal used by the user or a user ID, the invention is not particularly limited to this, and the service name is a service name corresponding to a service to be accessed by the user. It should be noted that the user accesses different hierarchies, and the corresponding network information to be detected is different, for example: when a user accesses a service corresponding to a network layer, the network information to be detected comprises IP quintuple information besides user information and a service name; when a user accesses a transmission layer, the network information to be detected also comprises connection frequency and uplink and downlink quantity information; when a user accesses the application layer, the network information to be detected also comprises a URL or request frequency; when the user accesses the service layer, the network information to be detected also includes the request type.
Step 102: acquiring a matching model which is established in advance and corresponds to the user information and the service name;
specifically, a corresponding matching model is established according to the specific service name accessed by a specific user, in daily work, service systems (such as a client resource management system, a production system, a source code management system and the like) accessed by each person are different, habits (such as access time and access frequency) of accessing the service systems are different, and periodicity (such as days, weeks and months) of access is different, so that whether the behavior of a certain user is abnormal can be accurately identified only by establishing the corresponding matching model according to the condition that each person accesses each service. For example: establishing a business access connection relation model of a user; establishing a conventional service access model by learning and recording the access behaviors and habits of a user; and establishing an operation model based on service access and the like by recording and calculating the conventional network access frequency and the service access frequency of the user. Therefore, a pre-established matching model corresponding to the user information and the service name can be obtained.
Step 103: and according to the matching model, if the network information to be detected is judged to meet the preset condition, the network information to be detected is abnormal information.
Specifically, the acquired network information to be detected is compared with a matching model corresponding to the network information to be detected, if the network information to be detected meets a preset condition, the network information to be detected is abnormal information, and otherwise, the network information to be detected is normal.
According to the embodiment of the invention, whether the network information to be detected is abnormal or not is judged according to the acquired network information to be detected and the acquired matching model corresponding to the user information and the service name in the network information to be detected, so that the detection of the network abnormality of the specific service and the specific user access is realized.
On the basis of the above embodiment, the method further includes:
acquiring historical network information, wherein the historical network information comprises the user information, a service name, an access sequence corresponding to the service name and an access rule;
and establishing the matching model corresponding to the user information and the service name according to the access sequence and the access rule.
Specifically, before performing anomaly detection on network information to be detected, a matching model needs to be established. And acquiring historical network information and storing the historical network information in a split or mirror mode. The method comprises the steps of capturing a network data packet in historical network information, identifying a network protocol from the network data packet, obtaining a service access sequence and an access rule corresponding to the network information to be detected according to the network protocol, and establishing a matching model corresponding to user information and a service name according to the service access sequence and the access rule.
In addition, before the matching model is established, the behavior of the user needs to be learned, for example: when a user accesses a certain service, the service flow of the user when the user accesses the service is learned and recorded, if the user inquires five-tuple information, the user opens a browser, then inputs the five-tuple information or the five-tuple in a search box, and then the user searches for explanation related to the five-tuple according to the search result. Based on the user access process, the business access process of the user is learned, the sequence of the user accessing each business process is recorded, and the matching model can be established after learning is completed.
According to the embodiment of the invention, the matching model corresponding to the user information and the service name is established through the access sequence and the access rule and is used for comparing with the network information to be detected, so that whether the network information to be detected is abnormal information or not is determined, and the accuracy of detection is improved.
On the basis of the above embodiment, the preset condition includes any one or a combination of the following first preset condition, second preset condition, third preset condition and fourth preset condition, where:
the first preset condition includes: the target address in the network information to be detected is not in the accessible address set in the matching model;
the second preset condition includes: the URL access sequence in the network information to be detected is inconsistent with the URL access sequence in the matching model;
the third preset condition includes: the network access frequency corresponding to the network information to be detected is greater than a first preset threshold value in the matching model within first preset time;
the fourth preset condition includes: and in a second preset time, the request frequency corresponding to the network information to be detected is greater than a second preset threshold value in the matching model.
Specifically, when a user needs to access a certain service, a target address corresponding to the service exists in network information to be detected, correspondingly, an accessible address set corresponding to the user and the service exists in a matching model corresponding to the user and the service, and if the target address in the network information to be detected is not in the accessible address set, the network information to be detected is abnormal information;
fig. 2 is a schematic view of a URL access sequence detection structure provided in an embodiment of the present invention, as shown in fig. 2, if a user wants to access a module 1 of a service 1, an access flow is as follows:
(1) the user accesses the home page, http:// home page;
(2) the user carries out identity authentication, http:// auth;
(3) the user accesses a service 1, http:// service 1;
(4) the user accesses the service 1-module 1, and the http:// service 1-module 1;
if the URL access sequence is found in the matching model corresponding to the module 1 of the user access service 1, the URL which is not subjected to identity verification by the system directly enters the access service 1, and the URL is regarded as abnormal; or module 1 accessing service 1 directly after user authentication, is also considered as abnormal. It should be noted that the URL access sequence is considered as abnormal as long as it is different from the URL access sequence in the matching model.
Since the access of the user to a certain service is regular, if the user frequently accesses the certain service in the first preset time, that is, the network access frequency corresponding to the to-be-detected network information corresponding to the service is greater than the first preset threshold value in the matching model, the service is regarded as abnormal.
Correspondingly, in a second preset time, after the request frequency corresponding to the network information to be detected is greater than a second preset threshold value in the matching model, it indicates that the frequency of the request sent by the user is too high, and at this time, the user is also considered as abnormal.
It should be noted that, as long as at least one of the first preset condition, the second preset condition, the third preset condition and the fourth preset condition is met, it may be determined that the network information to be detected is abnormal information, and the first preset time and the second preset time may be adjusted according to an actual situation, which is not limited in the embodiment of the present invention.
The embodiment of the invention is used for judging whether the network information to be detected is abnormal or not through specific preset conditions, thereby improving the detection accuracy.
On the basis of the above embodiments, the method further includes:
and generating alarm information according to the abnormal information and outputting the alarm information.
Specifically, if the network information to be detected is judged to be abnormal information, alarm information is generated according to the abnormal information and is output for prompting relevant management personnel.
The embodiment of the invention generates the alarm information by taking the network information to be detected as the abnormal information and outputs the alarm information for reminding relevant personnel to carry out operations such as repair and the like in time.
On the basis of the above embodiment, the alarm information is output in a mail alarm, a page alarm or a short message alarm manner.
Specifically, the warning information may be sent to the relevant manager in the form of an email in the email warning manner, or a warning page may be automatically popped up in the page warning manner when the relevant manager logs in the system, or a short message warning manner may be used, and it may be understood that the above manner may also be used for warning at the same time.
According to the embodiment of the invention, whether the network information to be detected is abnormal or not is judged according to the acquired network information to be detected and the acquired matching model corresponding to the user information and the service name in the network information to be detected, so that the detection of the network abnormality of the specific service and the specific user access is realized.
Fig. 3 is a schematic overall flow chart of a network access anomaly detection method provided in the embodiment of the present invention, as shown in fig. 3:
step 301: acquiring historical network information; the historical network information comprises user information and a service name;
step 302: extracting an access sequence and an access rule; acquiring a network protocol corresponding to the historical network information according to the historical network information, and acquiring a corresponding access sequence and an access rule from the network protocol;
step 303: establishing a matching model; establishing a matching model corresponding to the user information and the service name according to the access sequence and the access rule;
step 304: acquiring network information to be detected; the network information to be detected comprises user information and a service name;
step 305: obtaining a matching model; acquiring a matching model corresponding to the service name of the user information;
step 306: matching judgment; comparing the obtained matching model with the network information to be detected, if the network information to be detected meets the preset condition, indicating that the network information to be detected is abnormal information, and performing step 307; otherwise, ending the detection; the preset conditions are not described herein again;
step 307: alarming; and generating alarm information according to the abnormal information, outputting the alarm information in a mail alarm, page alarm or short message alarm mode, and finishing detection after outputting.
According to the embodiment of the invention, whether the network information to be detected is abnormal or not is judged according to the acquired network information to be detected and the acquired matching model corresponding to the user information and the service name in the network information to be detected, so that the detection of the network abnormality of the specific service and the specific user access is realized.
Fig. 4 is a schematic structural diagram of a network access anomaly detection system according to an embodiment of the present invention, as shown in fig. 4, the system includes a first obtaining module 401, a second obtaining module 402, and a detection module 403, where:
the first obtaining module 401 is configured to obtain network information to be detected, where the network information to be detected includes user information and a service name; the second obtaining module 402 is configured to obtain a matching model corresponding to the pre-established user information and the service name; the detection module 403 is configured to determine that the network information to be detected is abnormal information if it is determined that the network information to be detected meets a preset condition according to the matching model.
Specifically, the first obtaining module 401 obtains network information accessed by a user, where the network information is to-be-detected network information, where the to-be-detected network information includes user information and a service name, the user information may be an IP address of a terminal used by the user or a user ID. It should be noted that the user accesses different hierarchies, and the corresponding network information to be detected is different. The second obtaining module 402 obtains a pre-established matching model corresponding to the user information and the service name, the detecting module 403 compares the obtained network information to be detected with the matching model corresponding to the network information to be detected, if the network information to be detected meets a preset condition, it is indicated that the network information to be detected is abnormal information, otherwise, the network information to be detected is normal.
The embodiment of the system provided by the present invention may be specifically configured to execute the processing flows of the above method embodiments, and the functions of the system are not described herein again, and refer to the detailed description of the above method embodiments.
According to the embodiment of the invention, whether the network information to be detected is abnormal or not is judged according to the acquired network information to be detected and the acquired matching model corresponding to the user information and the service name in the network information to be detected, so that the detection of the network abnormality of the specific service and the specific user access is realized.
On the basis of the foregoing embodiment, fig. 5 is a schematic structural diagram of a network access anomaly detection system according to another embodiment of the present invention, and as shown in fig. 5, the system includes: a first obtaining module 401, a second obtaining module 402, a detecting module 403 and a model building module 404, wherein:
the model building module 404 is configured to obtain historical network information, where the historical network information includes the user information, a service name, an access sequence corresponding to the service name, and an access rule; and establishing the matching model corresponding to the user information and the service name according to the access sequence and the access rule.
Specifically, the first obtaining module 401, the second obtaining module 402, and the detecting module 403 are consistent with the above embodiments, and are not described herein again. Before anomaly detection is performed on network information to be detected, a matching model needs to be established. The model building module 404 obtains historical network information and stores the historical network information in a split or mirrored manner. The method comprises the steps of capturing a network data packet in historical network information, identifying a network protocol from the network data packet, obtaining a service access sequence and an access rule corresponding to the network information to be detected according to the network protocol, and establishing a matching model corresponding to user information and a service name according to the service access sequence and the access rule.
According to the embodiment of the invention, the matching model corresponding to the user information and the service name is established according to the access sequence and the access rule and is used for comparing with the network information to be detected, so that whether the network information to be detected is abnormal information or not is determined, and the accuracy of detection is improved.
On the basis of the above embodiment, the preset condition includes any one or a combination of the following first preset condition, second preset condition, third preset condition and fourth preset condition, where:
the first preset condition includes: the target address in the network information to be detected is not in the accessible address set in the matching model;
the second preset condition includes: the URL access sequence in the network information to be detected is inconsistent with the URL access sequence in the matching model;
the third preset condition includes: the network access frequency corresponding to the network information to be detected is greater than a first preset threshold value in the matching model within first preset time;
the fourth preset condition includes: and in a second preset time, the request frequency corresponding to the network information to be detected is greater than a second preset threshold value in the matching model.
Specifically, when a user needs to access a certain service, a target address corresponding to the service exists in network information to be detected, correspondingly, an accessible address set corresponding to the user and the service exists in a matching model corresponding to the user and the service, and if the target address in the network information to be detected is not in the accessible address set, the network information to be detected is abnormal information;
if the URL access sequence in the network information to be detected is not consistent with the URL access sequence in the matching model, the network information to be detected is abnormal information;
since the user will present regularity to the access of a certain service, if the user frequently accesses the certain service in the first preset time, that is, the network access frequency corresponding to the network information to be detected is greater than the first preset threshold value in the matching model, the user is regarded as abnormal.
Correspondingly, in a second preset time, after the request frequency corresponding to the network information to be detected is greater than a second preset threshold value in the matching model, it indicates that the frequency of the request sent by the user is too high, and at this time, the user is also considered as abnormal.
It should be noted that, as long as at least one of the first preset condition, the second preset condition, the third preset condition and the fourth preset condition is met, it may be determined that the network information to be detected is abnormal information, and the first preset time and the second preset time may be adjusted according to an actual situation, which is not limited in the embodiment of the present invention.
The embodiment of the system provided by the present invention may be specifically configured to execute the processing flows of the above method embodiments, and the functions of the system are not described herein again, and refer to the detailed description of the above method embodiments.
The embodiment of the invention is used for judging whether the network information to be detected is abnormal or not through specific preset conditions, thereby improving the detection accuracy.
On the basis of the foregoing embodiment, fig. 6 is a schematic structural diagram of a network access anomaly detection system according to another embodiment of the present invention, as shown in fig. 6, the system includes: a first obtaining module 401, a second obtaining module 402, a detecting module 403, a model establishing module 404 and an alarming module 405, wherein:
the alarm module 405 is configured to generate alarm information according to the abnormal information and output the alarm information.
Specifically, the first obtaining module 401, the second obtaining module 402, the detecting module 403, and the model establishing module 404 are consistent with the above embodiments, and are not described herein again. Specifically, if the network information to be detected is judged to be abnormal information, alarm information is generated according to the abnormal information and is output for prompting relevant management personnel.
The embodiment of the invention generates the alarm information by taking the network information to be detected as the abnormal information and outputs the alarm information for reminding relevant management personnel to carry out operations such as repair and the like in time.
On the basis of the above embodiment, the alarm information is output in a mail alarm, a page alarm or a short message alarm manner.
Specifically, the warning information may be sent to the relevant manager in the form of an email in the email warning manner, or a warning page may be automatically popped up in the page warning manner when the relevant manager logs in the system, or a short message warning manner may be used, and it may be understood that the above manner may also be used for warning at the same time.
According to the embodiment of the invention, whether the network information to be detected is abnormal or not is judged according to the acquired network information to be detected and the acquired matching model corresponding to the user information and the service name in the network information to be detected, so that the detection of the network abnormality of the specific service and the specific user access is realized.
Fig. 7 is a schematic structural diagram of an entity of a network access anomaly detection system according to an embodiment of the present invention, and as shown in fig. 7, the system includes: a processor (processor)701, a memory (memory)702, and a bus 703; wherein the content of the first and second substances,
the processor 701 and the memory 702 complete mutual communication through the bus 703;
the processor 701 is configured to call the program instructions in the memory 702 to execute the methods provided by the above-mentioned method embodiments, for example, including: acquiring network information to be detected, wherein the network information to be detected comprises user information and a service name; acquiring a matching model which is established in advance and corresponds to the user information and the service name; and according to the matching model, if the network information to be detected is judged to meet the preset condition, the network information to be detected is abnormal information.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the above-mentioned method embodiments, for example, comprising: acquiring network information to be detected, wherein the network information to be detected comprises user information and a service name; acquiring a matching model which is established in advance and corresponds to the user information and the service name; and according to the matching model, if the network information to be detected is judged to meet the preset condition, the network information to be detected is abnormal information.
The present embodiments provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided by the above method embodiments, for example, including: acquiring network information to be detected, wherein the network information to be detected comprises user information and a service name; acquiring a matching model which is established in advance and corresponds to the user information and the service name; and according to the matching model, if the network information to be detected is judged to meet the preset condition, the network information to be detected is abnormal information.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
The above-described embodiments of the system and the like are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (8)
1. A method for detecting network access abnormality is characterized by comprising the following steps:
acquiring network information to be detected, wherein the network information to be detected comprises user information and a service name;
acquiring a matching model which is established in advance and corresponds to the user information and the service name;
according to the matching model, if the network information to be detected is judged to meet the preset conditions, the network information to be detected is abnormal information;
the method further comprises the following steps:
acquiring historical network information, wherein the historical network information comprises the user information, a service name, an access sequence corresponding to the service name and an access rule;
and establishing the matching model corresponding to the user information and the service name according to the access sequence and the access rule.
2. The method according to claim 1, wherein the preset condition comprises any one or a combination of the following first preset condition, second preset condition, third preset condition and fourth preset condition, wherein:
the first preset condition includes: the target address in the network information to be detected is not in the accessible address set in the matching model;
the second preset condition includes: the URL access sequence in the network information to be detected is inconsistent with the URL access sequence in the matching model;
the third preset condition includes: the network access frequency corresponding to the network information to be detected is greater than a first preset threshold value in the matching model within first preset time;
the fourth preset condition includes: and in a second preset time, the request frequency corresponding to the network information to be detected is greater than a second preset threshold value in the matching model.
3. The method according to any one of claims 1-2, further comprising:
and generating alarm information according to the abnormal information and outputting the alarm information.
4. The method of claim 3, wherein the alarm message is output as a mail alarm, a page alarm or a short message alarm.
5. A system for detecting network access anomalies, comprising:
the system comprises a first acquisition module, a second acquisition module and a third acquisition module, wherein the first acquisition module is used for acquiring network information to be detected, and the network information to be detected comprises user information and a service name;
the second acquisition module is used for acquiring a pre-established matching model corresponding to the user information and the service name;
the detection module is used for judging whether the network information to be detected meets a preset condition according to the matching model, and if so, determining that the network information to be detected is abnormal information;
the system further comprises:
the model establishing module is used for acquiring historical network information, wherein the historical network information comprises the user information, the service name, the access sequence corresponding to the service name and the access rule; and establishing the matching model corresponding to the user information and the service name according to the access sequence and the access rule.
6. The system according to claim 5, wherein the preset condition comprises any one or a combination of the following first preset condition, second preset condition, third preset condition and fourth preset condition, wherein:
the first preset condition includes: the target address in the network information to be detected is not in the accessible address set in the matching model;
the second preset condition includes: the URL access sequence in the network information to be detected is inconsistent with the URL access sequence in the matching model;
the third preset condition includes: the network access frequency corresponding to the network information to be detected is greater than a first preset threshold value in the matching model within first preset time;
the fourth preset condition includes: and in a second preset time, the request frequency corresponding to the network information to be detected is greater than a second preset threshold value in the matching model.
7. The system according to any one of claims 5-6, further comprising:
and the alarm module is used for generating alarm information according to the abnormal information and outputting the alarm information.
8. The system of claim 7, wherein the alarm message is output as a mail alarm, a page alarm or a short message alarm.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710026113.2A CN108306846B (en) | 2017-01-13 | 2017-01-13 | Network access abnormity detection method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710026113.2A CN108306846B (en) | 2017-01-13 | 2017-01-13 | Network access abnormity detection method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108306846A CN108306846A (en) | 2018-07-20 |
| CN108306846B true CN108306846B (en) | 2020-11-24 |
Family
ID=62872459
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710026113.2A Active CN108306846B (en) | 2017-01-13 | 2017-01-13 | Network access abnormity detection method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108306846B (en) |
Families Citing this family (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108683551B (en) * | 2018-08-08 | 2021-09-14 | 武汉思普崚技术有限公司 | Pipeline type flow control method and device |
| CN109164786B (en) * | 2018-08-24 | 2020-05-29 | 杭州安恒信息技术股份有限公司 | Abnormal behavior detection method, device and equipment based on time-dependent baseline |
| CN113037728B (en) * | 2021-02-26 | 2023-08-15 | 上海派拉软件股份有限公司 | Risk judgment method, device, equipment and medium for realizing zero trust |
| CN114615034B (en) * | 2022-03-01 | 2023-09-29 | 中铁第四勘察设计院集团有限公司 | Control method, device, processing equipment and storage medium for service transmission |
| CN114900356A (en) * | 2022-05-06 | 2022-08-12 | 联云(山东)大数据有限公司 | Malicious user behavior detection method and device and electronic equipment |
| CN116582367B (en) * | 2023-07-13 | 2023-09-22 | 北京立思辰安科技术有限公司 | Data processing system for blocking firewall network communication |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102098756A (en) * | 2009-12-15 | 2011-06-15 | 华为技术有限公司 | Method, device and system for service control |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101902366B (en) * | 2009-05-27 | 2014-03-12 | 北京启明星辰信息技术股份有限公司 | Method and system for detecting abnormal service behaviors |
| CN102609789A (en) * | 2012-02-21 | 2012-07-25 | 复旦大学 | Information monitoring and abnormality predicting system for library |
| CN105812200B (en) * | 2014-12-31 | 2019-09-13 | 中国移动通信集团公司 | Anomaly detection method and device |
| CN104994076A (en) * | 2015-06-01 | 2015-10-21 | 广东电网有限责任公司信息中心 | Machine-learning-based daily access model implementation method and system |
-
2017
- 2017-01-13 CN CN201710026113.2A patent/CN108306846B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102098756A (en) * | 2009-12-15 | 2011-06-15 | 华为技术有限公司 | Method, device and system for service control |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108306846A (en) | 2018-07-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108306846B (en) | Network access abnormity detection method and system | |
| US11586972B2 (en) | Tool-specific alerting rules based on abnormal and normal patterns obtained from history logs | |
| CN110798472B (en) | Data leakage detection method and device | |
| US9479518B1 (en) | Low false positive behavioral fraud detection | |
| US9516041B2 (en) | Cyber security analytics architecture | |
| WO2019007306A1 (en) | Method, device and system for detecting abnormal behavior of user | |
| TW201629824A (en) | Anomaly detection using adaptive behavioral profiles | |
| CN113765881A (en) | Method and device for detecting abnormal network security behavior, electronic equipment and storage medium | |
| CN107682345B (en) | IP address detection method and device and electronic equipment | |
| US10855703B2 (en) | Dynamic detection of unauthorized activity in multi-channel system | |
| CN107689956B (en) | Threat assessment method and device for abnormal event | |
| US11074652B2 (en) | System and method for model-based prediction using a distributed computational graph workflow | |
| US9800596B1 (en) | Automated detection of time-based access anomalies in a computer network through processing of login data | |
| CN109446768B (en) | Application access behavior abnormity detection method and system | |
| CN110363381B (en) | Information processing method and device | |
| CN111611519A (en) | Method and device for detecting personal abnormal behaviors | |
| CN111163073A (en) | Flow data processing method and device | |
| CN109005181B (en) | Detection method, system and related components for DNS amplification attack | |
| CN110727563A (en) | Cloud service alarm method and device for preset customer | |
| CN116991675A (en) | Abnormal access monitoring method and device, computer equipment and storage medium | |
| CN112565228A (en) | Client network analysis method and device | |
| CN116738369A (en) | Traffic data classification method, device, equipment and storage medium | |
| CN109598525B (en) | Data processing method and device | |
| US11973779B2 (en) | Detecting data exfiltration and compromised user accounts in a computing network | |
| CN112422333B (en) | Distribution network condition determining method, system and related device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |